From: Gary Guo
Date: Thu, 23 Apr 2026 15:51:49 +0100
Subject: [PATCH v2 1/2] rust: pin-init: internal: move alignment check to `make_field_check`
Message-Id: <20260423-pin-init-fix-v2-1-ee3081093a0e@garyguo.net>
References: <20260423-pin-init-fix-v2-0-ee3081093a0e@garyguo.net>
In-Reply-To: <20260423-pin-init-fix-v2-0-ee3081093a0e@garyguo.net>
To: Benno Lossin, Gary Guo, Miguel Ojeda, Boqun Feng, Björn Roy Baron, Andreas Hindborg, Alice Ryhl, Trevor Gross, Danilo Krummrich
Cc: rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org

Instead of having the reference creation serving dual-purpose as both for let bindings
and alignment check, detangle them so that the alignment check is done explicitly in `make_field_check`. This is more robust against refactors that may change the way let bindings are created.

Cc: stable@vger.kernel.org
Signed-off-by: Gary Guo
Reviewed-by: Alice Ryhl
--- rust/pin-init/internal/src/init.rs | 78 ++++++++++++++++++----------------= ---- 1 file changed, 37 insertions(+), 41 deletions(-) diff --git a/rust/pin-init/internal/src/init.rs b/rust/pin-init/internal/sr= c/init.rs index daa3f1c6466e..0a6600e8156c 100644 --- a/rust/pin-init/internal/src/init.rs +++ b/rust/pin-init/internal/src/init.rs @@ -249,10 +249,6 @@ fn init_fields( }); // Again span for better diagnostics let write =3D quote_spanned!(ident.span()=3D> ::core::ptr:= :write); - // NOTE: the field accessor ensures that the initialized f= ield is properly aligned. - // Unaligned fields will cause the compiler to emit E0793.= We do not support - // unaligned fields since `Init::__init` requires an align= ed pointer; the call to - // `ptr::write` below has the same requirement. let accessor =3D if pinned { let project_ident =3D format_ident!("__project_{ident}= "); quote! { 
@@ -367,49 +363,49 @@ fn init_fields( } } =20 -/// Generate the check for ensuring that every field has been initialized. +/// Generate the check for ensuring that every field has been initialized = and aligned. fn make_field_check( fields: &Punctuated, init_kind: InitKind, path: &Path, ) -> TokenStream { - let field_attrs =3D fields + let field_attrs: Vec<_> =3D fields .iter() - .filter_map(|f| f.kind.ident().map(|_| &f.attrs)); - let field_name =3D fields.iter().filter_map(|f| f.kind.ident()); - match init_kind { - InitKind::Normal =3D> quote! { - // We use unreachable code to ensure that all fields have been= mentioned exactly once, - // this struct initializer will still be type-checked and comp= lain with a very natural - // error message if a field is forgotten/mentioned more than o= nce. - #[allow(unreachable_code, clippy::diverging_sub_expression)] - // SAFETY: this code is never executed. - let _ =3D || unsafe { - ::core::ptr::write(slot, #path { - #( - #(#field_attrs)* - #field_name: ::core::panic!(), - )* - }) - }; - }, - InitKind::Zeroing =3D> quote! { - // We use unreachable code to ensure that all fields have been= mentioned at most once. - // Since the user specified `..Zeroable::zeroed()` at the end,= all missing fields will - // be zeroed. This struct initializer will still be type-check= ed and complain with a - // very natural error message if a field is mentioned more tha= n once, or doesn't exist. - #[allow(unreachable_code, clippy::diverging_sub_expression, un= used_assignments)] - // SAFETY: this code is never executed. - let _ =3D || unsafe { - ::core::ptr::write(slot, #path { - #( - #(#field_attrs)* - #field_name: ::core::panic!(), - )* - ..::core::mem::zeroed() - }) - }; - }, + .filter_map(|f| f.kind.ident().map(|_| &f.attrs)) + .collect(); + let field_name: Vec<_> =3D fields.iter().filter_map(|f| f.kind.ident()= ).collect(); + let zeroing_trailer =3D match init_kind { + InitKind::Normal =3D> None, + InitKind::Zeroing =3D> Some(quote! 
{ + ..::core::mem::zeroed() + }), + }; + quote! { + #[allow(unreachable_code, clippy::diverging_sub_expression)] + // We use unreachable code to perform field checks. They're still = checked by the compiler. + // SAFETY: this code is never executed. + let _ =3D || unsafe { + // Create references to ensure that the initialized field is p= roperly aligned. + // Unaligned fields will cause the compiler to emit E0793. We = do not support + // unaligned fields since `Init::__init` requires an aligned p= ointer; the call to + // `ptr::write` for value-initialization case has the same req= uirement. + #( + #(#field_attrs)* + let _ =3D &(*slot).#field_name; + )* + + // If the zeroing trailer is not present, this checks that all= fields have been + // mentioned exactly once. If the zeroing trailer is present, = all missing fields will be + // zeroed, so this checks that all fields have been mentioned = at most once. The use of + // struct initializer will still generate very natural error m= essages for any misuse. 
+ ::core::ptr::write(slot, #path { + #( + #(#field_attrs)* + #field_name: ::core::panic!(), + )* + #zeroing_trailer + }) + }; } } =20 --=20 2.51.2
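Review bot: In the `@@ -249,10 +249,6 @@` hunk the NOTE about E0793 is removed only from the `InitializerKind::Value` arm; the identical comment in the `InitializerKind::Init` arm stays and is only deleted in 2/2, where it appears as removed lines in the `@@ -268,51 +256,31 @@` hunk. Since this is the patch that moves the alignment check into `make_field_check`, dropping both copies here would keep the tree consistent if 1/2 is backported or bisected on its own.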
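Review bot: The merged `#[allow(unreachable_code, clippy::diverging_sub_expression)]` in `make_field_check` no longer lists `unused_assignments`, which the old `InitKind::Zeroing` branch allowed. If that lint can still fire when `#zeroing_trailer` expands to `..::core::mem::zeroed()`, users of the zeroing form would start seeing a new warning; either keep `unused_assignments` in the list or state in the commit message why it is no longer needed. The attribute now also sits above the explanatory comment rather than directly above the `let _ = || unsafe { ... }` it applies to; moving it next to the statement would read more clearly.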

From: Gary Guo
Date: Thu, 23 Apr 2026 15:51:50 +0100
Subject: [PATCH v2 2/2] rust: pin-init: fix incorrect accessor reference lifetime
Message-Id: <20260423-pin-init-fix-v2-2-ee3081093a0e@garyguo.net>
References: <20260423-pin-init-fix-v2-0-ee3081093a0e@garyguo.net>
In-Reply-To: <20260423-pin-init-fix-v2-0-ee3081093a0e@garyguo.net>
To: Benno Lossin, Gary Guo, Miguel Ojeda, Boqun Feng, Björn Roy Baron, Andreas Hindborg, Alice Ryhl, Trevor Gross, Danilo Krummrich
Cc: rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org

When a field has been initialized, `init!`/`pin_init!` create a reference or pinned
reference to the field so it can be accessed later during the initialization of other fields. However, the reference it created is incorrectly `&'static` rather than just the scope of the initializer. This means that you can do

    init!(Foo {
        a: 1,
        _: {
            let b: &'static u32 = a;
        }
    })

which is unsound.

This is caused by `&mut (*#slot).#ident`, which actually allows arbitrary lifetime, so this is effectively `'static`. Somewhat ironically, the safety justification of creating the accessor is.. "SAFETY: TODO".

Fix it by adding `let_binding` method on `DropGuard` to shorten lifetime. This results in exactly what we want for these accessors.

Fixes: 42415d163e5d ("rust: pin-init: add references to previously initialized fields")
Cc: stable@vger.kernel.org
Signed-off-by: Gary Guo
--- rust/pin-init/internal/src/init.rs | 104 ++++++++++++++++-----------------= ---- rust/pin-init/src/__internal.rs | 31 ++++++----- 2 files changed, 62 insertions(+), 73 deletions(-) diff --git a/rust/pin-init/internal/src/init.rs b/rust/pin-init/internal/sr= c/init.rs index 0a6600e8156c..ad383023c21a 100644 --- a/rust/pin-init/internal/src/init.rs +++ b/rust/pin-init/internal/src/init.rs @@ -249,18 +249,6 @@ fn init_fields( }); // Again span for better diagnostics let write =3D quote_spanned!(ident.span()=3D> ::core::ptr:= :write); - let accessor =3D if pinned { - let project_ident =3D format_ident!("__project_{ident}= "); - quote! { - // SAFETY: TODO - unsafe { #data.#project_ident(&mut (*#slot).#ident= ) } - } - } else { - quote! { - // SAFETY: TODO - unsafe { &mut (*#slot).#ident } - } - }; quote! { #(#attrs)* { 
@@ -268,51 +256,31 @@ fn init_fields( // SAFETY: TODO unsafe { #write(&raw mut (*#slot).#ident, #value_i= dent) }; } - #(#cfgs)* - #[allow(unused_variables)] - let #ident =3D #accessor; } } InitializerKind::Init { ident, value, .. } =3D> { // Again span for better diagnostics let init =3D format_ident!("init", span =3D value.span()); - // NOTE: the field accessor ensures that the initialized f= ield is properly aligned. - // Unaligned fields will cause the compiler to emit E0793.= We do not support - // unaligned fields since `Init::__init` requires an align= ed pointer; the call to - // `ptr::write` below has the same requirement. - let (value_init, accessor) =3D if pinned { - let project_ident =3D format_ident!("__project_{ident}= "); - ( - quote! { - // SAFETY: - // - `slot` is valid, because we are inside of= an initializer closure, we - // return when an error/panic occurs. - // - We also use `#data` to require the correc= t trait (`Init` or `PinInit`) - // for `#ident`. - unsafe { #data.#ident(&raw mut (*#slot).#ident= , #init)? }; - }, - quote! { - // SAFETY: TODO - unsafe { #data.#project_ident(&mut (*#slot).#i= dent) } - }, - ) + let value_init =3D if pinned { + quote! { + // SAFETY: + // - `slot` is valid, because we are inside of an = initializer closure, we + // return when an error/panic occurs. + // - We also use `#data` to require the correct tr= ait (`Init` or `PinInit`) + // for `#ident`. + unsafe { #data.#ident(&raw mut (*#slot).#ident, #i= nit)? }; + } } else { - ( - quote! { - // SAFETY: `slot` is valid, because we are ins= ide of an initializer - // closure, we return when an error/panic occu= rs. - unsafe { - ::pin_init::Init::__init( - #init, - &raw mut (*#slot).#ident, - )? - }; - }, - quote! { - // SAFETY: TODO - unsafe { &mut (*#slot).#ident } - }, - ) + quote! { + // SAFETY: `slot` is valid, because we are inside = of an initializer + // closure, we return when an error/panic occurs. 
+ unsafe { + ::pin_init::Init::__init( + #init, + &raw mut (*#slot).#ident, + )? + }; + } }; quote! { #(#attrs)* @@ -320,9 +288,6 @@ fn init_fields( let #init =3D #value; #value_init } - #(#cfgs)* - #[allow(unused_variables)] - let #ident =3D #accessor; } } InitializerKind::Code { block: value, .. } =3D> quote! { @@ -335,18 +300,37 @@ fn init_fields( if let Some(ident) =3D kind.ident() { // `mixed_site` ensures that the guard is not accessible to th= e user-controlled code. let guard =3D format_ident!("__{ident}_guard", span =3D Span::= mixed_site()); + + // NOTE: The reference is derived from the guard so that it on= ly lives as long as the + // guard does and cannot escape the scope. If it's created via= `&mut (*#slot).#ident` + // like the unaligned field guard, it will become effectively = `'static`. + let accessor =3D if pinned { + let project_ident =3D format_ident!("__project_{ident}"); + quote! { + // SAFETY: the initialization is pinned. + unsafe { #data.#project_ident(#guard.let_binding()) } + } + } else { + quote! { + #guard.let_binding() + } + }; + res.extend(quote! { #(#cfgs)* - // Create the drop guard: + // Create the drop guard. // - // We rely on macro hygiene to make it impossible for user= s to access this local - // variable. - // SAFETY: We forget the guard later when initialization h= as succeeded. - let #guard =3D unsafe { + // SAFETY: We forget the guard later when initialization h= as succeeded. If we didn't + // forget it, they would not be further accessed again. + let mut #guard =3D unsafe { ::pin_init::__internal::DropGuard::new( - &raw mut (*slot).#ident + &mut (*slot).#ident ) }; + + #(#cfgs)* + #[allow(unused_variables)] + let #ident =3D #accessor; }); guards.push(guard); guard_attrs.push(cfgs); diff --git a/rust/pin-init/src/__internal.rs b/rust/pin-init/src/__internal= .rs index 90adbdc1893b..c3fd7589fd82 100644 --- a/rust/pin-init/src/__internal.rs +++ b/rust/pin-init/src/__internal.rs 
@@ -238,32 +238,37 @@ struct Foo { /// When a value of this type is dropped, it drops a `T`. /// /// Can be forgotten to prevent the drop. -pub struct DropGuard { - ptr: *mut T, +/// +/// # Invariants +/// +/// `ptr` will not be accessed or dropped after `DropGuard` is dropped. +pub struct DropGuard<'a, T: ?Sized> { + ptr: &'a mut T, } =20 -impl DropGuard { +impl<'a, T: ?Sized> DropGuard<'a, T> { /// Creates a new [`DropGuard`]. It will [`ptr::drop_in_place`] `pt= r` when it gets dropped. /// /// # Safety /// - /// `ptr` must be a valid pointer. - /// - /// It is the callers responsibility that `self` will only get dropped= if the pointee of `ptr`: - /// - has not been dropped, - /// - is not accessible by any other means, - /// - will not be dropped by any other means. + /// `ptr` must not be accessed or dropped after `DropGuard` is dropped. #[inline] - pub unsafe fn new(ptr: *mut T) -> Self { + pub unsafe fn new(ptr: &'a mut T) -> Self { + // INVARIANT: By safety requirement. Self { ptr } } + + /// Create a let binding for accessor use. + #[inline] + pub fn let_binding(&mut self) -> &mut T { + self.ptr + } } =20 -impl Drop for DropGuard { +impl Drop for DropGuard<'_, T> { #[inline] fn drop(&mut self) { - // SAFETY: A `DropGuard` can only be constructed using the unsafe = `new` function - // ensuring that this operation is safe. + // SAFETY: `self.ptr` is not going to be accessed or dropped later. unsafe { ptr::drop_in_place(self.ptr) } } } --=20 2.51.2
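Review bot: The SAFETY comment above `let mut #guard = unsafe { ... }` in the `@@ -335,18 +300,37 @@` hunk is hard to parse: in "If we didn't forget it, they would not be further accessed again" the pronoun "they" has no antecedent. The block now also does two unsafe things, dereferencing `slot` to form `&mut (*slot).#ident` and calling `DropGuard::new`, but only the second is justified. Suggest wording it against the new contract: `slot` is valid and the field has just been initialized, and `(*slot).#ident` is not accessed or dropped after the guard is dropped because the guard is forgotten on success.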
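Review bot: `let_binding` in `rust/pin-init/src/__internal.rs` carries the whole fix, but its doc comment, "Create a let binding for accessor use", does not say why it is sound. The `'a` of `DropGuard<'a, T>` is still chosen freely at the call site, since `&mut (*slot).#ident` is formed from a raw pointer, so the lifetime is shortened only because the return type borrows from `&mut self` rather than from `'a`. Please document that on the method so that a later change to `-> &'a mut T` is recognised as reintroducing the `'static` accessor.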
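The lifetime problem described in the commit message of 2/2, as an added stand-alone example that is not code from the patch or from pin-init. `Tracked`, `unbounded_accessor`, `old_accessor_accepts_static` and `init_with_guard` are hypothetical names, and `DropGuard` here is a simplified stand-in for the patched type.

```rust
use std::cell::Cell;
use std::mem::{self, MaybeUninit};
use std::ptr;
use std::rc::Rc;

/// Constructed field type that counts drops so the guard's effect is observable.
pub struct Tracked {
    pub value: u32,
    drops: Rc<Cell<u32>>,
}

impl Drop for Tracked {
    fn drop(&mut self) {
        self.drops.set(self.drops.get() + 1);
    }
}

/// Pre-fix accessor shape (hypothetical helper): a reference made by
/// dereferencing a raw pointer has an unbounded lifetime, so the caller may
/// pick any `'a`, including `'static`.
///
/// # Safety
///
/// `slot` must point to an initialized, aligned `T` that is live for all of `'a`.
pub unsafe fn unbounded_accessor<'a, T>(slot: *mut T) -> &'a mut T {
    // SAFETY: guaranteed by the caller.
    unsafe { &mut *slot }
}

/// The type checker accepts the `'static` annotation although `slot` is a local.
pub fn old_accessor_accepts_static() -> u32 {
    let mut slot: u32 = 1;
    // SAFETY: `slot` is initialized and `a` is only used while `slot` is live.
    let a: &'static mut u32 = unsafe { unbounded_accessor(&mut slot) };
    *a + 1
}

/// Simplified stand-in for the patched `DropGuard`.
pub struct DropGuard<'a, T: ?Sized> {
    ptr: &'a mut T,
}

impl<'a, T: ?Sized> DropGuard<'a, T> {
    /// # Safety
    ///
    /// `ptr` must not be accessed or dropped after the guard is dropped.
    pub unsafe fn new(ptr: &'a mut T) -> Self {
        Self { ptr }
    }

    /// Reborrows through `&mut self`, so the result cannot outlive the guard,
    /// whatever `'a` was inferred to be.
    pub fn let_binding(&mut self) -> &mut T {
        &mut *self.ptr
    }
}

impl<T: ?Sized> Drop for DropGuard<'_, T> {
    fn drop(&mut self) {
        let raw: *mut T = &mut *self.ptr;
        // SAFETY: by the contract of `new`, nothing touches the pointee afterwards.
        unsafe { ptr::drop_in_place(raw) }
    }
}

/// Initializes one field in place, uses the guard-derived accessor, then
/// either simulates a later field failing or completes.
pub fn init_with_guard(drops: Rc<Cell<u32>>, fail_later: bool) -> Result<Tracked, &'static str> {
    let mut slot = MaybeUninit::<Tracked>::uninit();
    let field: *mut Tracked = slot.as_mut_ptr();
    // SAFETY: `field` is valid for writes and aligned.
    unsafe { field.write(Tracked { value: 1, drops }) };
    // SAFETY: the field is initialized; it is not touched after the guard
    // drops, and the guard is forgotten on success.
    let mut guard = unsafe { DropGuard::new(&mut *field) };
    // `let a: &'static mut Tracked = guard.let_binding();` is rejected by the
    // borrow checker, because `guard` is a local that does not live that long.
    let a = guard.let_binding();
    a.value += 41;
    if fail_later {
        return Err("later field failed"); // `guard` drops the initialized field
    }
    mem::forget(guard);
    // SAFETY: the only field was initialized above and its guard was forgotten.
    Ok(unsafe { slot.assume_init() })
}

fn main() {
    let drops = Rc::new(Cell::new(0));
    let failed = init_with_guard(drops.clone(), true).is_err();
    println!("'static accepted: {}", old_accessor_accepts_static() == 2);
    println!("failed: {failed}, drops after failure: {}", drops.get());
}
```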